DETAILED ACTION

Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 28 April 2005 has been entered. 

2. Claims 1-29 have been presented for examination. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-29 have been considered but are moot in 
view of the new ground(s) of rejection. 

4. See further arguments that follow. 

Claim Rejections 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this 
or a foreign country, before the invention thereof by the applicant for a patent. 

6. Claims 1-29 are rejected under 35 U.S.C. 102(a) as being anticipated by CenterTrack: 
An IP Overlay Network for Tracking DoS Floods, by Robert Stone. 

7. As per claim 1, Stone teaches a method for tracking denial-of-service floods, the method 
comprising:

rerouting a DoS flood attack datagram to a tracking router, wherein the tracking router
forms an overlay tracking network with respect to an egress edge router (Abstract, page 1, i.e.
"CenterTrack is an overlay network, consisting of IP tunnels, that is used to selectively reroute
interesting datagrams directly from edge routers to special tracking routers," "the datagrams can
be examined, then dropped or forwarded to the appropriate egress point"); 

identifying, by the tracking router, an ingress edge router that forwarded the DoS flood 
attack datagram (Abstract, page 1, i.e. "the tracking routers can easily determine the ingress edge 
router by observing which tunnel the datagrams arrive on"). 

8. Regarding claim 2, Stone teaches executing security diagnostic functions (3.3
Advantages and Disadvantages, page 3, i.e. "hop-by-hop with overlay network: With this
method, specialized diagnostic features are now only required only on edge routers and
special-purpose tracking routers").

9. With regards to claims 3 and 15, Stone teaches wherein the security diagnostic functions 
comprise input debugging (page 2, first column, i.e. "Input debugging refers to the diagnostic 
features required to determine what adjacency originated a packet matching an attack signature 
on an individual router"). 

10. Regarding claims 4 and 16, Stone teaches wherein the overlay tracking network is within
an autonomous system that is different from another autonomous system corresponding to the
ingress edge router and the egress edge router (4.2 Routing Architecture, page 4, i.e. "network
as an external autonomous system using BGP").

Application/Control Number: 09/469,505 Page 4

Art Unit: 2131

11. With regards to claims 5, 11, and 17, Stone teaches providing routing information by the
overlay tracking network to the ingress edge router and the egress edge router using an
inter-administrative-domain routing/signaling protocol (4.2 Routing Architecture, page 4, i.e.
"network as an external autonomous system using BGP"). 

12. Concerning claims 6, 12, and 18, Stone teaches wherein the inter-administrative-domain
routing/signaling protocol is BGP (Border Gateway Protocol) (4.2 Routing Architecture, page
4, i.e. "network as an external autonomous system using BGP"). 

13. Regarding claims 7, 19, and 23, Stone teaches communicating between the edge routers 
and the tracking router via tunnels that are created over an unreliable datagram delivery service 
protocol (5.2 Dynamic routing with Tunnels, page 6). 

14. Regarding claims 8, 20, and 24, Stone teaches communicating between the edge routers 
and the tracking router via virtual connections over a separate lower layer protocol (4.4 
Tracking Router Capabilities, page 5, i.e. using IP tunnels). 

15. Regarding claims 9, 21 and 25, Stone teaches communicating between the edge routers 
and the tracking router via physical connections (5.4 Tunnel Termination, pages 6-7).

16. Regarding claim 10, Stone teaches routing the DoS flood attack datagram from the
ingress edge router to the tracking router, wherein the egress edge router has a static route to the 
victim (6.1 Static Routes, pages 7-8, i.e. "a static route for the victim, pointing through the 
egress edge adjacency"). 

17. Concerning claims 13 and 27, Stone teaches further comprising establishing another 
static route between the egress router and an external router associated with a victim node, the 
victim node receiving the DoS flood attack datagram (6.1 Static Routes, pages 7-8, i.e. "a static 
route for the victim, pointing through the tunnel to the egress edge router"). 

18. As per claim 14, Stone teaches a communication system for tracking denial-of-service 
(DoS) floods, the communication system comprising: 

a plurality of edge routers including an ingress edge router and an egress edge router, 
each of the edge routers being configured to perform security diagnostic functions, in part, to 
identify a DoS flood attack datagram, wherein the ingress edge router is associated with a source 
of the DoS flood attack datagram (Figure 2, 5.1 Example Network, pages 5-6, 4 CenterTrack 
Design Issues, pages 4-5, i.e. edge routers must be able to perform input debugging, 6.2
Hop-by-Hop Tracking, i.e. find the source of the attack); and,

a tracking router adjacent to the egress edge router, the tracking router being configured 
to perform the security diagnostic functions, the ingress edge router rerouting the DoS flood 
attack datagram to the tracking router as to permit identification of the ingress edge router,
wherein the tracking router forms an overlay tracking network with respect to the plurality of
edge routers (4.1 Tracking Adjacencies, page 4, 4 CenterTrack Design Issues, pages 4-5, i.e.
tracking routers must be able to perform input debugging, 6.2 Hop-by-Hop Tracking, i.e. find 
the source of the attack). 

19. Regarding claim 22, Stone teaches wherein the overlay tracking network further 
comprises additional tracking routers (5.6 Tracking System IGP and IBGP, page 7, i.e. 
"tracking routers are fully meshed over tunnels"). 

20. Regarding claim 26, Stone teaches wherein the ingress edge router routes the DoS flood 
attack datagram to the tracking router due to a dynamic routing update from the tracking router 
(5.2 Dynamic Routing with Tunnels, page 6). 

21. As per claim 28, Stone teaches a computer-readable medium carrying one or more
sequences of one or more instructions for tracking denial-of-service floods (DoS), the one or 
more sequences of one or more instructions including instructions which, when executed by one 
or more processors, cause the one or more processors to perform the steps of: 

receiving a DoS flood attack datagram on an overlay network formed by a tracking router 
(Abstract, page 1, i.e. "CenterTrack is an overlay network, consisting of IP tunnels, that is used 
to selectively reroute interesting datagrams directly from edge routers to special tracking 
routers.");

identifying the DoS flood attack datagram (Abstract, page 1, i.e. "the datagrams can be
examined, then dropped or forwarded to the appropriate egress point"); 

identifying, by the tracking router, a previous hop router associated with the DoS flood 
attack datagram to determine an ingress adjacency associated with the DoS flood attack (6.2 
Hop-by-Hop Tracking, page 8). 

22. Regarding claim 29, Stone teaches wherein the computer readable medium further 
includes instructions for causing the one or more processors to perform the steps of: 
instructing the previous hop router to identify a respective previous hop router associated with 
the DoS flood attack datagram (6.2 Hop-by-Hop Tracking, page 8). 

Conclusion 

23. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christian La Forgia whose telephone number is (571) 272-3792. 
The examiner can normally be reached on Monday thru Thursday 7-5. 

24. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306.

25. Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Christian LaForgia



Patent Examiner 
Art Unit 2131 




SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



